JFrog Bridge
Subscription Information
JFrog Bridge is available to Enterprise+ subscriptions upon request. To enable this feature, contact JFrog Customer Success.
Overcoming Network Security Barriers in Hybrid Environments
Hybrid JFrog deployments combine SaaS JPDs in the JFrog cloud with Self-managed JPD servers hosted on your premises, behind corporate firewalls.
JFrog Federation services are a growing set of JFrog offerings that automatically sync repositories, access information, and distribution processes across multiple JPDs. Large subscriptions benefit from centralized, consistent, hands-off management of access, security, and SDLC processes.
Federated features need SaaS and Self-managed JPDs to communicate and sync, but in hybrid deployments, corporate security policies often block inbound connections to private infrastructure. As a result, Self-managed JPDs behind the firewall cannot participate in federated services.
To solve this, the JFrog Bridge establishes secure, persistent communication between SaaS JPDs and JPDs hosted behind on-premises firewalls. To comply with security policies, the Bridge reverses the connection direction: the Self-managed JPD initiates an outbound TCP connection to the SaaS JPD. Once established, the Bridge connection is transparent to higher-level workflows. Platform services communicate as if over a direct connection.
This method offers several advantages:
- No inbound firewall exceptions: The Bridge Client on the Self-managed JPD initiates private outbound connections to the SaaS JPD using standard HTTP. No inbound ports or firewall exceptions are required.
- No VPN or complex network infrastructure: The Bridge operates as an application layer tunnel. Without site-to-site VPNs, cloud peering, or private link configurations, infrastructure costs and operational overhead are significantly reduced.
- End-to-end security with existing certificates: Bridge connections and forwarded API requests authenticate using the Self-managed JPD’s own CA certificates. Existing trust boundaries are maintained without third-party certificate dependencies.
- Proxy support: Bridge services inherit the platform's default proxy configuration, and administrators can reconfigure proxy settings per bridge.
- Configurable auto-scale: Each Bridge dynamically adds independent TCP tunneling sessions based on traffic demand, within configured ranges.
- Granular topology management: Each Bridge can be stopped, restarted, edited, deleted, blocked, or unblocked independently at the SaaS or Self-managed JPD, using the Platform UI or REST APIs.
- Observability: The Bridge Client and Server expose APIs for health checks (liveness/readiness), Prometheus metrics, debug snapshots, and support bundles. Bridge services write to standard JFrog service logs, and TRACE-level logging can be enabled.
Common Use Cases
Services on the SaaS JPD use the encrypted, persistent JFrog Bridge connection to forward requests to the Self-managed JPD. This allows sync of on-premises JPDs with other JPDs in Federated multisite services.
- Access Federation: The SaaS JPD forwards identity and access management requests through the Bridge to the Self-managed JPD for centralized user, group, and permission management across the entire hybrid topology.
- Repository Federation: When a Federated repository on the SaaS JPD includes Self-managed JPDs, the Bridge enables artifact sync between SaaS and Self-managed JPDs.
- Distribution to Self-managed edge nodes: The Distribution service on the SaaS JPD forwards release bundles and management requests through the Bridge to Self-managed Edge node JPDs at remote, protected sites.
How JFrog Bridges Work
A JFrog Bridge connects a Bridge Server JPD to a Bridge Client JPD:
- SaaS JPDs act as Bridge Servers. Contact JFrog Customer Success to verify that the Bridge service is enabled for JPDs in your SaaS environment.
- Self-managed JPDs act as Bridge Clients. You must install the Bridge Client service on these JPDs.
The Bridge Client establishes a persistent, outbound TCP connection to the Bridge Server with an HTTP Upgrade request. This creates a secure tunnel compatible with corporate firewalls. The Bridge Client service initiates new independent TCP tunneling sessions to the Bridge Server as traffic demands, within configurable ranges.
A registration token secures the Bridge connection. JSON Web Tokens (JWTs) authenticate forwarded API requests. Authentication uses your self-managed environment's custom CA certificates.
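The connection reversal described above, as an added localhost example (not JFrog's code or wire protocol): the client side dials out and sends an HTTP Upgrade request carrying a token, and after `101 Switching Protocols` the accepting side sends a request down that same connection. The `bridge-demo` upgrade token, the `/tunnel` path, the `saas.example` host, the use of an `Authorization` header and the token value are all assumptions made for illustration.

```python
import hmac, socket, threading

TOKEN = "constructed-registration-token"   # constructed sample value
PROTO = "bridge-demo"                       # hypothetical Upgrade token

def read_head(f):
    """Read an HTTP start line and headers up to the blank line."""
    start, headers = f.readline().decode().strip(), {}
    while (line := f.readline().decode().strip()):
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return start, headers

def bridge_server(listener, request, result):
    """Accepting side: never dials; after the upgrade it sends requests down the tunnel."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rwb") as f:
        _, h = read_head(f)
        sent = h.get("authorization", "").encode()
        authed = hmac.compare_digest(sent, f"Bearer {TOKEN}".encode())
        if h.get("upgrade") != PROTO or not authed:
            f.write(b"HTTP/1.1 401 Unauthorized\r\n\r\n"); f.flush()
            return
        f.write(f"HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\n"
                f"Upgrade: {PROTO}\r\n\r\n".encode())
        f.write(request + b"\n"); f.flush()        # request flows server -> client
        result["reply"] = f.readline().strip()

def bridge_client(port, token):
    """Dialing side: outbound connect, upgrade, then answer what the server forwards."""
    with socket.create_connection(("127.0.0.1", port)) as s, s.makefile("rwb") as f:
        f.write((f"GET /tunnel HTTP/1.1\r\nHost: saas.example\r\nConnection: Upgrade\r\n"
                 f"Upgrade: {PROTO}\r\nAuthorization: Bearer {token}\r\n\r\n").encode())
        f.flush()
        status, _ = read_head(f)
        if status.split()[1:2] != ["101"]:
            return status                          # upgrade refused, no tunnel
        forwarded = f.readline().strip()
        f.write(b"handled:" + forwarded + b"\n"); f.flush()
        return status

def run_demo(client_token):
    listener = socket.create_server(("127.0.0.1", 0))   # ephemeral local port
    result = {}
    t = threading.Thread(target=bridge_server, args=(listener, b"sync-permissions", result))
    t.start()
    status = bridge_client(listener.getsockname()[1], client_token)
    t.join(); listener.close()
    return status, result.get("reply")

if __name__ == "__main__":
    print(run_demo(TOKEN), run_demo("wrong-token"))
```

Only the dialing side ever opens a connection, so a firewall that permits outbound traffic and blocks all inbound traffic still lets the accepting side deliver requests once the upgrade succeeds.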
Resilient, auto-scaling topologies are easily created:
- Bridges are typically grouped in a one-to-many architecture: a single SaaS Bridge Server securely communicates with Bridge Clients on multiple, independent Self-managed JPDs.
- To support High Availability, multiple nodes of the Bridge Client and Server services can be created.
